CVE-2026-46140 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom. Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-28 | Updated 2026-06-01 | Assigner Linux

Product status

Default status

unaffected

d019930b0049fc2648a6b279893d8ad330596e81 (git) before c411cf1bfde951cfa821809cf4020ba177f76e0c

affected

d019930b0049fc2648a6b279893d8ad330596e81 (git) before 624fb79dadc1b65757986a9d0fdde5c0cf3fe179

affected

d019930b0049fc2648a6b279893d8ad330596e81 (git) before 70d37a8b9229e394cc17ddad47e90b81d80fcd09

affected

d019930b0049fc2648a6b279893d8ad330596e81 (git) before 634a4408c0615c523cf7531790f4f14a422b9206

affected

f0457842215438786e2e205ad06a4fbb8ab63cd0 (git)

affected

6.6.142 (semver) before 6.7

affected

Default status

affected

6.11

affected

Any version before 6.11

unaffected

6.12.88 (semver)

unaffected

6.18.30 (semver)

unaffected

7.0.7 (semver)

unaffected

7.1-rc3 (original_commit_for_fix)

unaffected

References

git.kernel.org/...c/c411cf1bfde951cfa821809cf4020ba177f76e0c

git.kernel.org/...c/624fb79dadc1b65757986a9d0fdde5c0cf3fe179

git.kernel.org/...c/70d37a8b9229e394cc17ddad47e90b81d80fcd09

git.kernel.org/...c/634a4408c0615c523cf7531790f4f14a422b9206

cve.org (CVE-2026-46140)

nvd.nist.gov (CVE-2026-46140)

Download JSON

help @ threatint.eu